[selinux-policy: 1043/3172] policy-20051208.patch from dan, plus a few adjustments

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:35:05 UTC 2010


commit 049e11af3026b9548f601d86b5c2412405a07f56
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Dec 9 15:42:39 2005 +0000

    policy-20051208.patch from dan, plus a few adjustments

 refpolicy/Makefile                                 |    7 +---
 refpolicy/Rules.modular                            |    9 ++++
 refpolicy/Rules.monolithic                         |   11 +++++-
 .../config/appconfig-targeted-mcs/default_contexts |    5 +-
 .../config/appconfig-targeted-mls/default_contexts |    5 +-
 .../config/appconfig-targeted/default_contexts     |    5 +-
 refpolicy/policy/modules/admin/su.if               |    9 ++--
 refpolicy/policy/modules/admin/su.te               |    2 +-
 refpolicy/policy/modules/kernel/filesystem.te      |    3 +-
 refpolicy/policy/modules/services/canna.te         |    3 +-
 refpolicy/policy/modules/services/cups.te          |    4 +-
 refpolicy/policy/modules/services/dbus.te          |    4 +-
 refpolicy/policy/modules/services/ftp.te           |   32 ++++++++-------
 refpolicy/policy/modules/services/hal.te           |   41 ++++++++++++--------
 refpolicy/policy/modules/services/mta.te           |   11 +-----
 refpolicy/policy/modules/services/sasl.te          |    4 +-
 refpolicy/policy/modules/services/spamassassin.te  |    4 ++
 refpolicy/policy/modules/services/xdm.te           |    8 +--
 refpolicy/policy/modules/system/hostname.te        |    3 +-
 refpolicy/policy/modules/system/init.if            |   32 ---------------
 refpolicy/policy/modules/system/libraries.fc       |    8 +++-
 refpolicy/policy/modules/system/libraries.te       |   10 +---
 refpolicy/policy/modules/system/locallogin.te      |    7 ---
 refpolicy/policy/modules/system/mount.te           |    3 +-
 24 files changed, 107 insertions(+), 123 deletions(-)
---
diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 0e39ad2..9122171 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -137,7 +137,7 @@ M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt)
 
 APPCONF := config/appconfig-$(TYPE)
 APPDIR := $(CONTEXTPATH)
-APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts) $(CONTEXTPATH)/files/media
+APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
 CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
 USER_FILES := $(POLDIR)/users
 
@@ -274,11 +274,6 @@ $(APPDIR)/removable_context: $(APPCONF)/removable_context
 	@mkdir -p $(APPDIR)
 	$(QUIET) install -m 644 $< $@
 
-$(APPDIR)/customizable_types: policy.conf
-	@mkdir -p $(APPDIR)
-	$(QUIET) grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
-	$(QUIET) install -m 644 tmp/customizable_types $@ 
-
 $(APPDIR)/default_type: $(APPCONF)/default_type
 	@mkdir -p $(APPDIR)
 	$(QUIET) install -m 644 $< $@
diff --git a/refpolicy/Rules.modular b/refpolicy/Rules.modular
index a152bae..d988436 100644
--- a/refpolicy/Rules.modular
+++ b/refpolicy/Rules.modular
@@ -170,6 +170,15 @@ endif
 
 ########################################
 #
+# Appconfig files
+#
+$(APPDIR)/customizable_types: base.conf
+	@mkdir -p $(APPDIR)
+	$(QUIET) grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
+	$(QUIET) install -m 644 tmp/customizable_types $@ 
+
+########################################
+#
 # Clean the sources
 #
 clean:
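Review bot: The recipe on L76 writes its intermediate to the fixed path `tmp/customizable_types` with nothing in this rule ensuring `tmp/` exists, and because the shell reports only the last command's status, a `grep` that matches nothing (or a `base.conf` in an unexpected layout) silently installs an empty list instead of failing. Since `install -m 644` already creates `$@` from the scratch file, deriving the scratch name from the target, e.g. `> $@.tmp` followed by `install -m 644 $@.tmp $@ && $(RM) $@.tmp`, removes the dependence on `tmp/`; presumably `tmp/` is created by another rule in this file, which is outside the hunk. The identical recipe is repeated in Rules.monolithic (L103–L106) with only the prerequisite changed, and because it uses `$<` the two could share one definition. Note that `customizable_types` is what restorecon/setfiles consult to leave files of those types alone on relabel, so an empty list quietly changes relabeling behaviour rather than breaking the build.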
diff --git a/refpolicy/Rules.monolithic b/refpolicy/Rules.monolithic
index 652bece..0d6aa7d 100644
--- a/refpolicy/Rules.monolithic
+++ b/refpolicy/Rules.monolithic
@@ -12,7 +12,7 @@ HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
 FC := file_contexts
 POLVER := policy.$(PV)
 
-APPFILES += $(APPDIR)/customizable_types $(INSTALLDIR)/booleans
+APPFILES += $(INSTALLDIR)/booleans
 
 # for monolithic policy use all base and module to create policy
 ALL_MODULES := $(strip $(BASE_MODS) $(MOD_MODS))
@@ -228,6 +228,15 @@ longcheck: policy.conf $(FC)
 
 ########################################
 #
+# Appconfig files
+#
+$(APPDIR)/customizable_types: policy.conf
+	@mkdir -p $(APPDIR)
+	$(QUIET) grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
+	$(QUIET) install -m 644 tmp/customizable_types $@ 
+
+########################################
+#
 # Clean the sources
 #
 clean:
diff --git a/refpolicy/config/appconfig-targeted-mcs/default_contexts b/refpolicy/config/appconfig-targeted-mcs/default_contexts
index 1a98643..b3dddce 100644
--- a/refpolicy/config/appconfig-targeted-mcs/default_contexts
+++ b/refpolicy/config/appconfig-targeted-mcs/default_contexts
@@ -1,8 +1,9 @@
-system_r:unconfined_t:s0	system_r:unconfined_t:s0
+system_r:crond_t:s0		system_r:unconfined_t:s0
 system_r:initrc_t:s0		system_r:unconfined_t:s0
 system_r:local_login_t:s0	system_r:unconfined_t:s0
 system_r:remote_login_t:s0	system_r:unconfined_t:s0
 system_r:rshd_t:s0		system_r:unconfined_t:s0
-system_r:crond_t:s0		system_r:unconfined_t:s0
 system_r:sshd_t:s0		system_r:unconfined_t:s0
 system_r:sysadm_su_t:s0		system_r:unconfined_t:s0
+system_r:unconfined_t:s0	system_r:unconfined_t:s0
+system_r:xdm_t:s0		system_r:unconfined_t:s0
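Review bot: The only semantic change in this hunk is the new `system_r:xdm_t:s0` entry on L128; the other `+`/`-` pairs re-sort existing rows, which makes the diff look as if the `unconfined_t` and `crond_t` mappings were dropped and re-added. The mcs and mls files are byte-identical before and after (both `1a98643..b3dddce`), so the same edit is maintained in two places, and the non-MLS file at L149–L160 differs only by the missing level. The new entry only takes effect once `xdm_t` is a real type in targeted policy, which the xdm.te change in this commit (L515) makes it, so the two changes depend on each other.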
diff --git a/refpolicy/config/appconfig-targeted-mls/default_contexts b/refpolicy/config/appconfig-targeted-mls/default_contexts
index 1a98643..b3dddce 100644
--- a/refpolicy/config/appconfig-targeted-mls/default_contexts
+++ b/refpolicy/config/appconfig-targeted-mls/default_contexts
@@ -1,8 +1,9 @@
-system_r:unconfined_t:s0	system_r:unconfined_t:s0
+system_r:crond_t:s0		system_r:unconfined_t:s0
 system_r:initrc_t:s0		system_r:unconfined_t:s0
 system_r:local_login_t:s0	system_r:unconfined_t:s0
 system_r:remote_login_t:s0	system_r:unconfined_t:s0
 system_r:rshd_t:s0		system_r:unconfined_t:s0
-system_r:crond_t:s0		system_r:unconfined_t:s0
 system_r:sshd_t:s0		system_r:unconfined_t:s0
 system_r:sysadm_su_t:s0		system_r:unconfined_t:s0
+system_r:unconfined_t:s0	system_r:unconfined_t:s0
+system_r:xdm_t:s0		system_r:unconfined_t:s0
diff --git a/refpolicy/config/appconfig-targeted/default_contexts b/refpolicy/config/appconfig-targeted/default_contexts
index dee752d..d91373a 100644
--- a/refpolicy/config/appconfig-targeted/default_contexts
+++ b/refpolicy/config/appconfig-targeted/default_contexts
@@ -1,8 +1,9 @@
-system_r:unconfined_t		system_r:unconfined_t
+system_r:crond_t		system_r:unconfined_t
 system_r:initrc_t		system_r:unconfined_t
 system_r:local_login_t		system_r:unconfined_t
 system_r:remote_login_t		system_r:unconfined_t
 system_r:rshd_t			system_r:unconfined_t
-system_r:crond_t		system_r:unconfined_t
 system_r:sshd_t			system_r:unconfined_t
 system_r:sysadm_su_t		system_r:unconfined_t
+system_r:unconfined_t		system_r:unconfined_t
+system_r:xdm_t			system_r:unconfined_t
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index 9fd6679..95a87c2 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -43,6 +43,11 @@ template(`su_restricted_domain_template', `
 	# for SSP
 	dev_read_urand($1_su_t)
 
+	files_read_etc_files($1_su_t)
+	files_read_etc_runtime_files($1_su_t)
+	files_search_var_lib($1_su_t)
+	files_dontaudit_getattr_tmp_dir($1_su_t)
+
 	selinux_get_fs_mount($1_su_t)
 	selinux_validate_context($1_su_t)
 	selinux_compute_access_vector($1_su_t)
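Review bot: The new `files_dontaudit_getattr_tmp_dir($1_su_t)` on L172 carries no comment saying what triggers the denial it hides, unlike the `# for SSP` note above it; dontaudit rules remove the audit evidence a later reviewer would need to decide whether the access should become an allow or be dropped. A short reason, e.g. `# su stats /tmp at startup; access is not needed, so silence rather than allow — confirm`, keeps that decision visible. The other three added lines are the block deleted at L181–L184 moved up unchanged. The template continues past the hunk.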
@@ -56,10 +61,6 @@ template(`su_restricted_domain_template', `
 
 	domain_use_wide_inherit_fd($1_su_t)
 
-	files_read_etc_files($1_su_t)
-	files_read_etc_runtime_files($1_su_t)
-	files_search_var_lib($1_su_t)
-
 	init_dontaudit_use_fd($1_su_t)
 	init_dontaudit_use_script_pty($1_su_t)
 	# Write to utmp.
diff --git a/refpolicy/policy/modules/admin/su.te b/refpolicy/policy/modules/admin/su.te
index 65aaf77..9078ccf 100644
--- a/refpolicy/policy/modules/admin/su.te
+++ b/refpolicy/policy/modules/admin/su.te
@@ -1,5 +1,5 @@
 
-policy_module(su,1.0.1)
+policy_module(su,1.1.1)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
index df2bf26..9b0e3ff 100644
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@@ -1,5 +1,5 @@
 
-policy_module(filesystem,1.0.1)
+policy_module(filesystem,1.1.1)
 
 ########################################
 #
@@ -22,6 +22,7 @@ sid fs gen_context(system_u:object_r:fs_t,s0)
 # Requires that a security xattr handler exist for the filesystem.
 fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
diff --git a/refpolicy/policy/modules/services/canna.te b/refpolicy/policy/modules/services/canna.te
index b119afe..a39ac7f 100644
--- a/refpolicy/policy/modules/services/canna.te
+++ b/refpolicy/policy/modules/services/canna.te
@@ -1,5 +1,5 @@
 
-policy_module(canna,1.0)
+policy_module(canna,1.1.1)
 
 ########################################
 #
@@ -47,7 +47,6 @@ files_create_pid(canna_t, canna_var_run_t, { file sock_file })
 
 kernel_read_kernel_sysctl(canna_t)
 kernel_read_system_state(canna_t)
-kernel_dontaudit_use_fd(canna_t)
 
 corenet_tcp_sendrecv_all_if(canna_t)
 corenet_raw_sendrecv_all_if(canna_t)
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index 1ff7d20..05aed4c 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -1,5 +1,5 @@
 
-policy_module(cups,1.0.3)
+policy_module(cups,1.1.1)
 
 ########################################
 #
@@ -505,6 +505,8 @@ allow cupsd_config_t cupsd_etc_t:file create_file_perms;
 allow cupsd_config_t cupsd_etc_t:lnk_file create_lnk_perms;
 type_transition cupsd_config_t cupsd_etc_t:file cupsd_rw_etc_t;
 
+allow cupsd_config_t cupsd_log_t:file rw_file_perms;
+
 allow cupsd_config_t cupsd_rw_etc_t:dir rw_dir_perms;
 allow cupsd_config_t cupsd_rw_etc_t:file manage_file_perms;
 allow cupsd_config_t cupsd_rw_etc_t:lnk_file create_lnk_perms;
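Review bot: The new rule on L252 gives cupsd_config_t `rw_file_perms` on cupsd_log_t, which includes `write` and so lets the configuration helper overwrite or truncate existing log contents, not just add to them. If the helper only needs to append to the CUPS logs, a read-plus-append permission set (`ra_file_perms`, if the support macros define it) would preserve log integrity; if it genuinely rewrites the logs, a one-line comment saying so would settle the question for the next reviewer.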
diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te
index 64d25a9..75bdf43 100644
--- a/refpolicy/policy/modules/services/dbus.te
+++ b/refpolicy/policy/modules/services/dbus.te
@@ -1,5 +1,5 @@
 
-policy_module(dbus,1.0.2)
+policy_module(dbus,1.1.1)
 
 gen_require(`
 	class dbus { send_msg acquire_svc };
@@ -32,7 +32,7 @@ files_pid_file(system_dbusd_var_run_t)
 # cjp: dac_override should probably go in a distro_debian
 allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
 dontaudit system_dbusd_t self:capability sys_tty_config;
-allow system_dbusd_t self:process { getattr signal_perms };
+allow system_dbusd_t self:process { getattr signal_perms setcap };
 allow system_dbusd_t self:fifo_file { read write };
 allow system_dbusd_t self:dbus { send_msg acquire_svc };
 allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
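Review bot: The `setcap` added on L273 pairs with the `setpcap` capability already granted on L270; presumably this is dbus-daemon dropping its own capabilities after startup, which is the least-privilege reading, but a comment such as `# dbus-daemon drops capabilities after startup (setpcap + setcap) — confirm` would record the intent. Separately, the context line L276 lists `connectto` twice in the same permission set; harmless, but worth de-duplicating while the rule block is being touched.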
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index 1a83d1c..0b90109 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -1,5 +1,5 @@
 
-policy_module(ftp,1.0.2)
+policy_module(ftp,1.1.1)
 
 ########################################
 #
@@ -71,8 +71,11 @@ kernel_read_system_state(ftpd_t)
 dev_read_sysfs(ftpd_t)
 dev_read_urand(ftpd_t)
 
-fs_search_auto_mountpoints(ftpd_t)
-fs_getattr_all_fs(ftpd_t)
+corecmd_exec_bin(ftpd_t)
+corecmd_exec_sbin(ftpd_t)
+# Execute /bin/ls (can comment this out for proftpd)
+# also may need rules to allow tar etc...
+corecmd_exec_ls(ftpd_t)
 
 corenet_tcp_sendrecv_all_if(ftpd_t)
 corenet_udp_sendrecv_all_if(ftpd_t)
@@ -89,26 +92,25 @@ corenet_tcp_bind_ftp_data_port(ftpd_t)
 corenet_tcp_bind_generic_port(ftpd_t)
 corenet_tcp_connect_all_ports(ftpd_t)
 
+domain_use_wide_inherit_fd(ftpd_t)
+
+files_search_etc(ftpd_t)
+files_read_etc_files(ftpd_t)
+files_read_etc_runtime_files(ftpd_t)
+files_search_var_lib_dir(ftpd_t)
+
+fs_search_auto_mountpoints(ftpd_t)
+fs_getattr_all_fs(ftpd_t)
+
 term_dontaudit_use_console(ftpd_t)
 
+auth_use_nsswitch(ftpd_t)
 auth_domtrans_chk_passwd(ftpd_t)
 # Append to /var/log/wtmp.
 auth_append_login_records(ftpd_t)
 #kerberized ftp requires the following
 auth_write_login_records(ftpd_t)
 
-corecmd_exec_bin(ftpd_t)
-corecmd_exec_sbin(ftpd_t)
-# Execute /bin/ls (can comment this out for proftpd)
-# also may need rules to allow tar etc...
-corecmd_exec_ls(ftpd_t)
-
-domain_use_wide_inherit_fd(ftpd_t)
-
-files_search_etc(ftpd_t)
-files_read_etc_files(ftpd_t)
-files_read_etc_runtime_files(ftpd_t)
-
 init_use_fd(ftpd_t)
 init_use_script_pty(ftpd_t)
 
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 8f5a8f3..9bb932a 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
 
-policy_module(hal,1.0.4)
+policy_module(hal,1.1.1)
 
 ########################################
 #
@@ -23,11 +23,13 @@ files_pid_file(hald_var_run_t)
 
 allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
 dontaudit hald_t self:capability sys_tty_config;
-allow hald_t self:process signal_perms;
+# vbetool requires execmem
+allow hald_t self:process { execmem signal_perms };
 allow hald_t self:fifo_file rw_file_perms;
 allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow hald_t self:unix_dgram_socket create_socket_perms;
 allow hald_t self:netlink_route_socket r_netlink_socket_perms;
+allow hald_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow hald_t self:tcp_socket create_stream_socket_perms;
 allow hald_t self:udp_socket create_socket_perms;
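Review bot: L357 adds `execmem` to hald_t itself because vbetool needs it (L356), which relaxes the W^X guarantee for the whole daemon — one that already holds `sys_admin`, `sys_rawio`, `mknod` and `dac_override` on L353 — rather than only for the helper. If vbetool has its own entry point, a small domain carrying `execmem` with a domain transition from hald_t would confine the relaxation; if that is not practical, the comment should say why. The added `netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }` on L362 also has no comment explaining which audit messages hal emits.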
@@ -47,6 +49,9 @@ kernel_read_network_state(hald_t)
 kernel_read_kernel_sysctl(hald_t)
 kernel_write_proc_file(hald_t)
 
+corecmd_exec_bin(hald_t)
+corecmd_exec_sbin(hald_t)
+
 corenet_tcp_sendrecv_all_if(hald_t)
 corenet_udp_sendrecv_all_if(hald_t)
 corenet_raw_sendrecv_all_if(hald_t)
@@ -59,7 +64,6 @@ corenet_non_ipsec_sendrecv(hald_t)
 corenet_tcp_bind_all_nodes(hald_t)
 corenet_udp_bind_all_nodes(hald_t)
 
-dev_read_sysfs(hald_t)
 dev_rw_usbfs(hald_t)
 dev_read_urand(hald_t)
 dev_read_input(hald_t)
@@ -68,6 +72,20 @@ dev_rw_printer(hald_t)
 dev_read_lvm_control(hald_t)
 dev_getattr_all_chr_files(hald_t)
 dev_manage_generic_chr_file(hald_t)
+# hal is now execing pm-suspend
+dev_rw_sysfs(hald_t)
+
+domain_use_wide_inherit_fd(hald_t)
+domain_exec_all_entry_files(hald_t)
+
+files_exec_etc_files(hald_t)
+files_read_etc_files(hald_t)
+files_rw_etc_runtime_files(hald_t)
+files_search_mnt(hald_t)
+files_search_var_lib(hald_t)
+files_read_usr_files(hald_t)
+# hal is now execing pm-suspend
+files_create_boot_flag(hald_t)
 
 fs_getattr_all_fs(hald_t)
 fs_search_all(hald_t)
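Review bot: The comment `# hal is now execing pm-suspend` appears twice in this hunk (L388 and L400) attached to two different grants, `dev_rw_sysfs` and `files_create_boot_flag`; merging it into one comment above both, or stating for each what pm-suspend touches (the sysfs power controls, and which flag file in the root directory), would make the grants reviewable. `dev_rw_sysfs(hald_t)` replaces the `dev_read_sysfs(hald_t)` removed in the previous hunk (L380), so this is an upgrade from read to read/write on sysfs and deserves to be called out as such. The `domain_*` and `files_*` lines below are the block moved from L409–L420 with no changes.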
@@ -87,19 +105,6 @@ storage_raw_write_fixed_disk(hald_t)
 
 term_dontaudit_use_console(hald_t)
 
-corecmd_exec_bin(hald_t)
-corecmd_exec_sbin(hald_t)
-
-domain_use_wide_inherit_fd(hald_t)
-domain_exec_all_entry_files(hald_t)
-
-files_exec_etc_files(hald_t)
-files_read_etc_files(hald_t)
-files_rw_etc_runtime_files(hald_t)
-files_search_mnt(hald_t)
-files_search_var_lib(hald_t)
-files_read_usr_files(hald_t)
-
 init_use_fd(hald_t)
 init_use_script_pty(hald_t)
 
@@ -171,6 +176,10 @@ optional_policy(`nscd',`
 	nscd_use_socket(hald_t)
 ')
 
+optional_policy(`ntp',`
+	ntp_domtrans(hald_t)
+')
+
 optional_policy(`pcmcia',`
 	pcmcia_manage_pid(hald_t)
 	pcmcia_manage_runtime_chr(hald_t)
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 810d711..ea66396 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -1,5 +1,5 @@
 
-policy_module(mta,1.0.4)
+policy_module(mta,1.1.1)
 
 ########################################
 #
@@ -57,15 +57,6 @@ init_use_script_pty(system_mail_t)
 
 userdom_use_sysadm_terms(system_mail_t)
 
-ifdef(`hide_broken_symptoms',`
-	# Red Hat systems seem to have a stray
-	# fds open from the initrd
-	ifdef(`distro_redhat',`
-		kernel_dontaudit_use_fd(system_mail_t)
-		storage_dontaudit_read_fixed_disk(system_mail_t)
-	')
-')
-
 ifdef(`targeted_policy',`
 	typealias system_mail_t alias sysadm_mail_t;
 
diff --git a/refpolicy/policy/modules/services/sasl.te b/refpolicy/policy/modules/services/sasl.te
index c81a934..f1b37d4 100644
--- a/refpolicy/policy/modules/services/sasl.te
+++ b/refpolicy/policy/modules/services/sasl.te
@@ -18,6 +18,7 @@ files_pid_file(saslauthd_var_run_t)
 # Local policy
 #
 
+allow saslauthd_t self:capability setuid;
 dontaudit saslauthd_t self:capability sys_tty_config;
 allow saslauthd_t self:process signal_perms;
 allow saslauthd_t self:fifo_file { read write };
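Review bot: L471 grants saslauthd_t the `setuid` capability with no comment on why the daemon changes uid; since this is a new privilege rather than a moved line, a note such as `# saslauthd switches uid when … — confirm` would let a reader check later that it is still needed. The line sits above the existing `dontaudit ... sys_tty_config` rule, so grouping it with the other `allow ... self:capability` rules, if there are any above the hunk, would keep the capability set readable in one place.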
@@ -56,9 +57,10 @@ auth_use_nsswitch(saslauthd_t)
 domain_use_wide_inherit_fd(saslauthd_t)
 
 files_read_etc_files(saslauthd_t)
-files_read_etc_runtime_files(saslauthd_t)
+files_dontaudit_read_etc_runtime_files(saslauthd_t)
 files_search_var_lib(saslauthd_t)
 files_dontaudit_getattr_home_dir(saslauthd_t)
+files_dontaudit_getattr_tmp_dir(saslauthd_t)
 
 init_use_fd(saslauthd_t)
 init_use_script_pty(saslauthd_t)
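Review bot: L479–L480 turn `files_read_etc_runtime_files(saslauthd_t)` into `files_dontaudit_read_etc_runtime_files(saslauthd_t)`, which both removes an access that was previously allowed and hides the resulting denials; if saslauthd does still read one of those files, the failure is now silent and absent from the audit log. A comment recording why the read was judged unnecessary, and that the dontaudit exists only to keep the log quiet, makes the change reversible with confidence; the new `files_dontaudit_getattr_tmp_dir` on L483 could carry the same note.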
diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te
index ba7b467..3c6bdb9 100644
--- a/refpolicy/policy/modules/services/spamassassin.te
+++ b/refpolicy/policy/modules/services/spamassassin.te
@@ -73,6 +73,10 @@ corenet_non_ipsec_sendrecv(spamd_t)
 corenet_tcp_bind_all_nodes(spamd_t)
 corenet_udp_bind_all_nodes(spamd_t)
 corenet_tcp_bind_spamd_port(spamd_t)
+# spamassassin 3.1 needs this for its
+# DnsResolver.pm module which binds to
+# random ports >= 1024.
+corenet_udp_bind_generic_port(spamd_t)
 
 dev_read_sysfs(spamd_t)
 dev_read_urand(spamd_t)
diff --git a/refpolicy/policy/modules/services/xdm.te b/refpolicy/policy/modules/services/xdm.te
index f38050e..6f12feb 100644
--- a/refpolicy/policy/modules/services/xdm.te
+++ b/refpolicy/policy/modules/services/xdm.te
@@ -6,11 +6,7 @@ policy_module(xdm,1.0.1)
 # Declarations
 #
 
-ifdef(`targeted_policy',`
-	unconfined_alias_domain(xdm_t)
-',`
-	type xdm_t;
-')
+type xdm_t;
 
 # real declaration moved to mls until
 # range_transition works in loadable modules
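Review bot: xdm.te gains a real policy change here — `xdm_t` becomes a plain type in targeted policy (L515) instead of an alias of unconfined_t — but the module version shown on the hunk header line (L506, `policy_module(xdm,1.0.1)`) is not bumped, whereas every other .te file with policy changes in this commit moves to 1.1.1; sasl.te, spamassassin.te and locallogin.te are in the same position. Depending on how module updates are gated, an unchanged version may keep the new module from being treated as an update. The comment at L517–L518 about the "real declaration" was written against the old conditional block and is worth re-reading against the new unconditional `type xdm_t;`.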
@@ -78,7 +74,9 @@ selinux_compute_user_contexts(xdm_t)
 files_read_etc_runtime_files(xdm_t)
 
 ifdef(`targeted_policy',`
+	allow xdm_t self:process execmem;
 	unconfined_domain_template(xdm_t)
+	unconfined_domtrans(xdm_t)
 ',`
 	allow xdm_t xdm_lock_t:file create_file_perms;
 	files_create_lock(xdm_t,xdm_lock_t)
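Review bot: L523 adds `allow xdm_t self:process execmem;` immediately before `unconfined_domain_template(xdm_t)`; if that template already grants execmem to the domain, the explicit rule is redundant, and if it does not, a comment naming what in the display manager needs executable anonymous memory (as hal.te does at L356) would be expected. The `ifdef` block continues past the hunk.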
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
index 1200282..bfc5fdb 100644
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@@ -1,5 +1,5 @@
 
-policy_module(hostname,1.0)
+policy_module(hostname,1.1.1)
 
 ########################################
 #
@@ -22,7 +22,6 @@ allow hostname_t self:capability sys_admin;
 allow hostname_t self:unix_stream_socket create_stream_socket_perms;
 dontaudit hostname_t self:capability sys_tty_config;
 
-kernel_dontaudit_use_fd(hostname_t)
 kernel_list_proc(hostname_t)
 kernel_read_proc_symlinks(hostname_t)
 
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 7c08d2c..38ab298 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -31,18 +31,6 @@ interface(`init_domain',`
 	allow init_t $1:fd use;
 	allow $1 init_t:fifo_file rw_file_perms;
 	allow $1 init_t:process sigchld;
-
-	# Red Hat systems seem to have stray
-	# fds open from the initrd
-	ifdef(`hide_broken_symptoms',`
-		# Red Hat systems seem to have a stray
-		# fds open from the initrd
-		ifdef(`distro_redhat',`
-			kernel_dontaudit_use_fd($1)
-			storage_dontaudit_read_fixed_disk($1)
-			files_dontaudit_read_root_file($1)
-		')
-	')
 ')
 
 ########################################
@@ -82,16 +70,6 @@ interface(`init_daemon_domain',`
 		typeattribute $2 direct_init_entry;
 	')
 
-	ifdef(`hide_broken_symptoms',`
-		# Red Hat systems seem to have a stray
-		# fds open from the initrd
-		ifdef(`distro_redhat',`
-			kernel_dontaudit_use_fd($1)
-			storage_dontaudit_read_fixed_disk($1)
-			files_dontaudit_read_root_file($1)
-		')
-	')
-
 	ifdef(`targeted_policy',`
 		# this regex is a hack, since it assumes there is a
 		# _t at the end of the domain type.  If there is no _t
@@ -163,16 +141,6 @@ interface(`init_system_domain',`
 	allow $1 initrc_t:fd use;
 	allow $1 initrc_t:fifo_file rw_file_perms;
 	allow $1 initrc_t:process sigchld;
-
-	ifdef(`hide_broken_symptoms',`
-		# Red Hat systems seem to have a stray
-		# fds open from the initrd
-		ifdef(`distro_redhat',`
-			kernel_dontaudit_use_fd($1)
-			storage_dontaudit_read_fixed_disk($1)
-			files_dontaudit_read_root_file($1)
-		')
-	')
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc
index 28c1670..95104c1 100644
--- a/refpolicy/policy/modules/system/libraries.fc
+++ b/refpolicy/policy/modules/system/libraries.fc
@@ -62,7 +62,8 @@ ifdef(`distro_redhat',`
 /usr/lib(64)?/im/.*\.so.*		--	gen_context(system_u:object_r:shlib_t,s0)
 /usr/lib(64)?/iiim/.*\.so.*		--	gen_context(system_u:object_r:shlib_t,s0)
 
-/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* --	gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/lib(64)?/libGL(core)?\.so(\.[^/]*)* --	gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:texrel_shlib_t,s0)
 /usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:texrel_shlib_t,s0)
 
 /usr/(local/)?lib/wine/.*\.so  		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
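Review bot: L614 corrects `libGL(core)?/.so` to `libGL(core)?\.so`; the old pattern required a directory named libGL or libGLcore followed by a single character and `so`, so the texrel label for libGL was in practice never applied, which makes this a real labelling fix rather than a cosmetic one and worth calling out. The new libGLU line on L615 follows the file's `\.so(\.[^/]*)*` convention, so versioned sonames are covered. Both lines are inside the `ifdef(`distro_redhat'` block named in the hunk header, which starts and ends outside the hunk.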
@@ -103,7 +104,6 @@ ifdef(`distro_redhat',`
 /usr/lib/valgrind/hp2ps			--	gen_context(system_u:object_r:texrel_shlib_t,s0)
 /usr/lib/valgrind/stage2		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
 /usr/lib/valgrind/vg.*\.so		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
-/usr/lib/.*/libxpcom_core.so		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
 /usr/lib/.*/program/libicudata\.so.*	--	gen_context(system_u:object_r:texrel_shlib_t,s0)
 /usr/lib/.*/program/libsts645li\.so	--	gen_context(system_u:object_r:texrel_shlib_t,s0)
 /usr/lib/.*/program/libvclplug_gen645li\.so --	gen_context(system_u:object_r:texrel_shlib_t,s0)
@@ -113,6 +113,10 @@ ifdef(`distro_redhat',`
 /usr/lib(64)?/.*/program/libsvx680li\.so --	gen_context(system_u:object_r:texrel_shlib_t,s0)
 /usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
 /usr/lib(64)?/.*/program/libsoffice\.so  --	gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/lib(64)?/firefox.*\.so		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/lib(64)?/mozilla.*\.so		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/lib(64)?/sunbird.*\.so		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/lib(64)?/thunderbird.*\.so		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
 
 # Fedora Extras packages: ladspa, imlib2, ocaml
 /usr/lib/ladspa/analogue_osc_1416\.so	--	gen_context(system_u:object_r:texrel_shlib_t,s0)
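Review bot: The four new patterns on L631–L634 (`/usr/lib(64)?/firefox.*\.so` and so on) use an unanchored `.*` that crosses directory boundaries and is attached directly to the name, so they label every `.so` anywhere under any directory whose name merely starts with `firefox`, `mozilla`, `sunbird` or `thunderbird` as texrel_shlib_t, granting `execmod` to all of them rather than to the few libraries that actually need text relocation. They also end in bare `\.so`, unlike the surrounding entries' `\.so(\.[^/]*)*`, so versioned sonames are missed. A tighter shape that still covers versioned install directories is `/usr/lib(64)?/firefox[^/]*/.*\.so(\.[^/]*)*`, ideally narrowed further to the specific libraries that need it, as the removed `libxpcom_core.so` entry (L623) was.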
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index 7ba9087..79ac468 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -1,5 +1,5 @@
 
-policy_module(libraries,1.0.1)
+policy_module(libraries,1.1.1)
 
 ########################################
 #
@@ -42,12 +42,8 @@ ifdef(`targeted_policy',`
 # texrel_shlib_t is the type of shared objects in the system lib
 # directories, which require text relocation.
 #
-ifdef(`targeted_policy',`
-	typealias lib_t alias texrel_shlib_t;
-',`
-	type texrel_shlib_t;
-	files_type(texrel_shlib_t)
-')
+type texrel_shlib_t;
+files_type(texrel_shlib_t)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index a2116d1..b5cd6a1 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -168,13 +168,6 @@ userdom_use_unpriv_users_fd(local_login_t)
 # Search for mail spool file.
 mta_getattr_spool(local_login_t)
 
-# Red Hat systems seem to have a stray
-# fd open from the initrd
-ifdef(`distro_redhat',`
-	kernel_dontaudit_use_fd(local_login_t)
-	files_dontaudit_read_root_file(local_login_t)
-')
-
 ifdef(`targeted_policy',`
 	unconfined_domain_template(local_login_t)
 	unconfined_shell_domtrans(local_login_t)
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 9c724ba..a3668f8 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -1,5 +1,5 @@
 
-policy_module(mount,1.0.1)
+policy_module(mount,1.1.1)
 
 ########################################
 #
@@ -26,7 +26,6 @@ allow mount_t mount_tmp_t:dir create_dir_perms;
 files_create_tmp_files(mount_t,mount_tmp_t,{ file dir })
 
 kernel_read_system_state(mount_t)
-kernel_dontaudit_use_fd(mount_t)
 
 corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
 corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)

